Network Detective Inspector User Guide
Network Detective Inspector Software Appliance User Guide
© 2016 RapidFire Tools, Inc. All rights reserved
20160520 – Ver 3R

Contents

Overview
  Components of the Inspector Software Appliance
    Inspector Software Appliance
    Inspector Diagnostic Tool
    Network Detective Application
  Inspector Software Appliance Features
    Network Assessment Network Scan
    Layer 2/3 Discovery of Network Devices (Exclusive to the Inspector)
    Internal Vulnerability Scan (Exclusive to the Inspector)
    Local Collector Push for Login Anomaly Reporting Scan (Exclusive to the Inspector)
    HIPAA Compliance and Risk Assessment Scans
    PCI Compliance and Risk Assessment Scans
    External Vulnerability Scan
    Automated Assessment Reporting
  Remote Updating of the Inspector Software Appliance
Automated Scanning and Scheduling Best Practices
Getting Started
  Inspector Software Appliance Deployment Options
  Installing the Inspector Software Appliance on Hyper-V
  Starting the Inspector Software Appliance on Hyper-V
  Connecting the Optional Network Detective Hardware Appliance
  Associating the Inspector Software Appliance to a Site
    Step 1 - Creating a New Site
    Step 2 - Adding an Inspector to a Site
Creating New Scans
  Selecting and Configuring Data Collection Scans Using Inspector
    Network Scan
    SQL Server Data Collection
    Local Data Scans
    Internal Vulnerability Scan
    Layer 2/3 Discovery and Network Scan
    Local Collector Push Scan for Logon Anomaly Reporting
    HIPAA Compliance Scans
    PCI Compliance Scans
    External Vulnerability Scan
Managing the Scan Queue
    Scheduling a Scan
  Scan Task Library versus Scan Tasks Queue
  Cancelling a Scan
Downloading Scans
Configuring the Local Data Scan Merges
Using the Manage Inspector Appliance Feature to Configure Automatic Report Generation
  Setting Up Automatic Reports for Network Assessments
  Setting Up Automatic Reports for Security Assessments
  Setting Up Automatic Reports for SQL Server Assessments
  Setting Up Automatic Reports for HIPAA Compliance Assessments
  Setting Up Automatic Reports for PCI Compliance Assessments
Updating a Software Appliance
Appendices
  Appendix I
    Inspector Diagnostic Tool

Overview

The Inspector Software Appliance is an appliance-based system used for performing scheduled IT assessment scans and deeper dive diagnostics.
This guide is designed to provide an overview and specific steps required to install and configure the Inspector Software Appliance and schedule the collection of network and security assessment data, SQL Server assessment data, Internal Network Vulnerability assessment data, Layer 2/3 Discovery and Network assessment data, Local Login Anomaly assessment data, HIPAA Compliance assessment data, and PCI Compliance assessment data to be used with other Network Detective modules.

Components of the Inspector Software Appliance

Inspector Software Appliance

This is the Inspector software application that operates on either the Network Detective Hardware Appliance or on a user supplied Microsoft Hyper-V based system.

Optional Network Detective Hardware Appliance

This is an optional hardware component that can be purchased from RapidFire Tools to host and operate the Inspector Software Appliance. It is a small, portable appliance which plugs into the target network through an Ethernet connection.

Inspector Diagnostic Tool

This tool is used for configuring and troubleshooting the Inspector. The Diagnostic Tool should be run on the same network as the Inspector to perform diagnostic checks such as for Inspector connectivity or for available updates.

Network Detective Application

This is the same Network Detective desktop application and report generator that is used with any other Network Detective modules. This application contains additional features to manage the Inspector remotely.

Inspector Software Appliance Features

One key purpose of the Inspector is to perform scans from the point-of-view of the client’s internal network. Below is an overview of the scans that can be performed by the Inspector Software Appliance.

Network Assessment Network Scan

Note that this feature requires the Network Assessment Module. The full Network Assessment Scan from the point-of-view of the Inspector Software Appliance.
The resulting scan can be used to generate reports from the Network Assessment module.

Layer 2/3 Discovery of Network Devices (Exclusive to the Inspector)

Run when the Network Assessment Network Scan is executed. Scans network devices for Layer 2 and Layer 3 connectivity information. The scans are used to generate Layer 2/3 diagram and detail reports.

Internal Vulnerability Scan (Exclusive to the Inspector)

This scan takes advantage of the point-of-view provided by being connected to the client’s internal network. Data is collected about Open Ports and Protocol Vulnerability that would be exploited once a hacker is in the network. The Internal Vulnerability Scan focuses on INSIDE attacking INSIDE whereas the External Vulnerability scan checks for OUTSIDE attacking EDGE (INSIDE).

Internal vulnerability scans are similar to external vulnerability scans; however, they are performed from inside the target network. They look for vulnerabilities that are normally blocked externally by firewalls. Within a network, un-patched or vulnerable systems may exist that an external scan may not capture. This scan option performs a vulnerability scan with additional options which may be more intensive than the external equivalent. Please be aware that the scans may be resource intensive and should be run during non-business hours if possible.

Local Collector Push for Login Anomaly Reporting Scan (Exclusive to the Inspector)

This scan gathers information regarding various user logins into the client’s environment. This scan is used to produce the Login Anomalies report which analyzes the user login data and looks for anomalous user behavior.

HIPAA Compliance and Risk Assessment Scans

Note that this feature requires the HIPAA Assessment Module.
These network and local scans can be scheduled and executed by Inspector in order to identify ePHI, network vulnerabilities, security vulnerabilities, and local computer vulnerabilities necessary to perform a HIPAA IT Risk Assessment.

PCI Compliance and Risk Assessment Scans

Note that this feature requires the PCI Assessment Module. These network and local scans can be scheduled and executed by Inspector in order to identify credit/debit card Primary Account Number (PAN) data, network vulnerabilities, security vulnerabilities, and local computer vulnerabilities necessary to perform a PCI Data Security Standard (DSS) Compliance and IT Risk Assessment.

External Vulnerability Scan

External Vulnerability scans are performed at the external “Network Edge” to check for security holes and weaknesses that can help you make better network security decisions. The External Vulnerability Scan performed by Inspector includes a full NMap Scan which checks all 65,535 ports and reports which are open. This is an essential scan and is a standard security check to ensure a viable security policy has been defined, implemented and maintained to protect the network from outside attacks.

Automated Assessment Reporting

Automatic Report Generation enables you to use the Inspector to schedule and generate a number of assessment reports associated with the following:

Network Assessments
Security Assessments
SQL Server
HIPAA Compliance Assessments
PCI Compliance Assessments

Remote Updating of the Inspector Software Appliance

The Inspector Software Appliance is easy to update remotely. Updates include bug fixes, new features, and additional scan types.

Automated Scanning and Scheduling Best Practices

It is recommended that Network, Local Computer, External Vulnerability, Layer 2/3 Discovery and Network, and the Local Collector Push for Login Anomaly Reporting scans are scheduled to be performed on a weekly basis.
It is recommended that Internal Vulnerability scans are scheduled to be performed on a monthly basis or after any significant IT infrastructure change has taken place.

Getting Started

Inspector Software Appliance Deployment Options

There are two Inspector Software Appliance deployment options available to users:

Inspector Software Appliance deployment on a user owned and operated Hyper-V based system
Inspector Software Appliance deployment on the Network Detective Hardware Appliance

Installing the Inspector Software Appliance on Hyper-V

Please refer to the Virtual Appliance Installation Guide.

Starting the Inspector Software Appliance on Hyper-V

Start the Inspector Software Appliance on the Hyper-V based system. Take note of the Inspector Appliance ID, which will be required when you associate the Inspector Software Appliance with your Assessment Project.

Connecting the Optional Network Detective Hardware Appliance

To set up the Network Detective Hardware Appliance used to operate the Inspector Software Appliance, first go to the physical location of the target network. After finding a secure location for the device, connecting it to the network can be accomplished in two easy steps:

Associating the Inspector Software Appliance to a Site

Before using the Inspector Software Appliance, the Inspector must be associated with a Site in the Network Detective Application.

Step 1 - Creating a New Site

If you have not yet added any Sites, open the Network Detective Application and navigate to New Site from the Home screen. Define a name for the Site. This should be unique and easily identifiable, such as the customer name or physical location.
Step 2 - Adding an Inspector to a Site

After starting a new assessment, or within an existing assessment, in order to “Associate” an Inspector Software Appliance with the Assessment Project, you must first select the V symbol to expand the assessment properties view. This action will expand the Assessment’s properties for you to view and to add a Software Appliance to the Assessment.

To add an Appliance to an Assessment, from the Assessment Window select the Appliance button, then the Appliances Add button as noted above. Select the Appliance ID of the Appliance from the drop down menu.

Note: When users have purchased a Network Detective Hardware Appliance, the Appliance ID can be found on a printed label on the Hardware Appliance itself.

After successfully adding an Appliance it will appear under the Appliance bar in the Assessment Window.

To view a list of all Appliances and their associated Sites, navigate to the Appliance tab from the top bar of the Network Detective Home screen. This will show a summary of all Appliances, their activity status, and other useful information.

To return to the Site that you are using to perform your assessment, click on Home above and select the Site that you are using to perform your assessment.

Creating New Scans

After associating an Appliance with a customer specific Site used for performing assessments, it is very simple to configure Network Scans, Local Computer Scans, Internal Vulnerability Scans, Layer 2/3 Discovery and Network, and the Local Push Collector for Login Anomaly Reporting Scans using the Inspector Software Appliance remotely from within the Network Detective desktop application.

With the Inspector Software Appliance, it is only necessary to go through the configuration and setup of a Network Scan one time.
After completing the setup, the Scan configurations will be stored and associated with the Inspector Software Appliance to be run either on-demand or on a set schedule.

To set up a scan, first, go to the target Site’s Assessment Window and verify that an Inspector has been successfully associated with the Site. The Inspector(s) will appear under the Appliances bar.

If the Site does not already have an active Assessment, start a new Assessment by clicking Start and following the prompts to choose the desired type of Assessment. If an active Assessment is underway and available, the Assessment will be presented when the Site file is opened.

Upon selecting the Active Assessment, you will be directed to the assessment’s Assessment Window.

From the Site’s active Assessment, select Initiate Appliance Scan from the Scans bar. The Manage Appliance Tasks window will be displayed enabling you to select the IT or Compliance Assessment scan you want to perform, configure the scan task, and to store the scan task in the Inspector Task Library for either manual or scheduled execution.

If this is the first time a Scan has been initiated from the Inspector Software Appliance, follow the Network Detective Data Collector’s Create Task prompts to configure the Scan.

Selecting and Configuring Data Collection Scans Using Inspector

Below is an overview of the scans that can be set-up and performed using the Inspector Software Appliance and the steps to set-up the scans to be performed automatically or manually.

Network Scan

Note that the Network Assessment Reports are only available as part of the Network Assessment module.

Step 1: Initiate Appliance Scan

From the Site’s active Assessment, select Initiate Appliance Scan from the Import Scans bar.
The Manage Appliance Tasks window will be displayed enabling you to select the IT or Compliance Assessment Scan you want to perform, configure the scan task, and to store the scan task in the Inspector Task Library for either manual or scheduled execution.

Step 2: Select Scan Type

Choose Network Scan from the wizard and click the Next button.

Step 3: Input Credentials

Input administrative credentials to access the Domain Controller or indicate that the target network does not contain a Domain Controller.

Step 4: Select Local Domains

Choose either to scan all Domains detected on the target network or to restrict the Scan to selected Organizational Units (OUs) and Domains.

Step 5: Input External Domains

External Domain names allow others to visit the target site and facilitate services, such as email. Input External Domains here to include them as part of the data collection. Examples of External Domains include:

example.com
mycompany.biz

Step 6: Specify IP Ranges

The IP ranges from the target network will be auto-detected and included in the scan. To include additional subnets input them here.

Step 7: Add SNMP Information

By default, the software will retrieve data from devices with the community string “public.” If desired, define an additional community string (such as “private”) and enter it here.

Step 8: Use MBSA

Check Run MBSA to perform a weak password check. Check Include Patch Analysis to gather information on missing patches (this second option will increase the time required to perform the scan).

Step 9: Verify and Schedule

Check Send an email notification when schedule completes to notify a desired address upon completion of the scan.
This option is recommended as the time a scan takes to complete varies depending on the target network.

Click on the Finish button to complete the scheduling of the Network Scan task which will display the Appliance Tasks and Queue window. The scheduled Network Scan can be confirmed in the Appliance Tasks and Queue window that is displayed in the Task Library list referenced below.

Upon viewing the scan task, you can select the “run now” option link under the Queue column to initiate the scan which will place the scan into the Queued Tasks list. Or, you can click on the schedule link to execute the scan sometime in the future by selecting the interval (daily, weekly, monthly, annually, or just once) option and the time that the scan should be scheduled to run.

When you click the schedule link, the CRON Builder scheduler window is displayed and is used to set the schedule action’s execution time. Please note that the time zone used for the CRON Builder time is Eastern Standard Time (EST).

Note the Pending task present in the Queued Task list after the Run Now option has been selected for the Network Scan in the window below.

SQL Server Data Collection

To create this scan task, perform the following steps:

1. Select the Scan Type SQL Server Collection.
2. Follow the prompts to set up the Credentials for the SQL Servers being assessed.
3. Verify the settings and Schedule the Scan.

Note that the SQL Server Module’s Assessment Reports are only available as part of the SQL Server Module subscription.

Local Data Scans

Configuring Network Local Collection Push Scan

1. Select the Network Local Collection Push scan to perform a network scan on remote computers.
2. Follow the prompts to set up the Credentials and Remote Computer IP Addresses for the equipment being scanned.
3. Verify the settings and schedule the scan.

Configuring Security Local Collector Push Scan

1. Select the Security Local Collector Push Scan to perform a security scan on remote computers.
2. Follow the prompts to set up the Credentials and Remote Computer IP Addresses for the equipment being scanned.
3. Verify the settings and schedule the scan.

Internal Vulnerability Scan

The Internal Vulnerability Scan is an exclusive feature available through the Inspector.

Step 1: Initiate Appliance Scan

From the Site’s active Assessment, select Initiate Appliance Scan from the Scans bar. The Manage Appliance Tasks window will be displayed enabling you to select the IT or compliance Assessment scan you want to perform, configure the scan task, and to store the scan task in the Inspector Task Library for either manual or scheduled execution.

If this is the first time a Scan has been initiated from the Inspector appliance, follow the Network Detective Data Collector Create Task Wizard prompts to configure the Scan.

Step 2: Select Scan Type

Choose Internal Vulnerability Scan from the wizard and click Next. The Ports to Scan window will be displayed.

Step 3: Specify Ports to Scan

When the Ports to Scan window is displayed, the Ports to Scan setup option allows you to select one of two available scanning options. One option, referenced as the Standard Scan, is used to scan Standard TCP ports and Top 1000 UDP ports. The second option, referenced as the Comprehensive Scan, is used to execute a comprehensive scan of all TCP ports and Top 1000 UDP ports.

To proceed, select the appropriate number of ports to scan for your assessment’s purposes. Then select the Next button. The IP Ranges screen will be displayed.
Step 4: Specify IP Ranges

At this point the Inspector appliance will perform Auto-Detect to identify an IP address range that can be scanned. Alternatively, you can manually set the IP address range that you would like to scan during the scheduled internal vulnerability scan.

IMPORTANT: THE AUTO-DETECT FEATURE WILL IDENTIFY THE IP RANGE OF THE INTERNAL SUBNET THAT IS FROM THE INSPECTOR. THIS COULD RESULT IN A SUBSTANTIALLY LARGER NUMBER OF IP ADDRESSES THAT WILL BE SCANNED VERSUS THE ACTUAL NUMBER OF WORKSTATIONS, SERVERS, AND OTHER IP-BASED NETWORK COMPONENTS, WHICH COULD BE A FAR SMALLER NUMBER. IF THIS INTERNAL VULNERABILITY SCAN IS CONFIGURED TO INTERROGATE A LARGE NUMBER OF IP ADDRESSES THAT ARE NOT USED BY ANY DEVICE, THE VULNERABILITY SCAN MAY TAKE AN EXPONENTIALLY LONGER TIME THAN NECESSARY.

Define the IP Range that you would like to scan and select the Next button. The Create Task - Verify and Schedule window will be displayed.

Step 5: Verify and Schedule Scan Task

After the Create Task - Verify and Schedule window is displayed you can finalize the creation of the scan task.

To have an Email Notification sent to you when the scan task completes, select the Send email notification when schedule completes option, and type in the email address where the notification should be sent.

Click on the Finish button to complete the scheduling of the internal vulnerability scan task which will display the Appliance Tasks and Queue window. The scheduled internal vulnerability scan can be confirmed in the Appliance Tasks and Queue window that is displayed in the Task Library list referenced below.

Upon viewing the scan task, you can select the “run now” option link under the Queue column to initiate the scan which will place the scan into the Queued Tasks list.
Or, you can click on the schedule link to execute the scan sometime in the future by selecting the interval (daily, weekly, monthly, annually, or just once) option and the time that the scan should be scheduled to run.

When you click the schedule link, the CRON Builder scheduler window is displayed and is used to set the schedule action’s execution time. Please note that the time zone used for the CRON Builder time is Eastern Standard Time (EST).

Note the Pending task present in the Queued Task list after the Run Now option has been selected for the Vulnerability Scan in the window below.

Layer 2/3 Discovery and Network Scan

The Layer 2/3 Discovery and Network Scan is an exclusive feature available through the Inspector.

Step 1: Initiate Appliance Scan

From the Site’s active Assessment, select Initiate Appliance Scan from the Scans bar. The Manage Appliance Tasks window will be displayed enabling you to select the IT or Compliance Assessment scan you want to perform, configure the scan task, and to store the scan task in the Inspector Task Library for either manual or scheduled execution.

If this is the first time a Scan has been initiated from the Inspector appliance, follow the Network Detective Data Collector prompts to configure the Scan.

Step 2: Select Scan Type

Within the Assessment window, select the scan you are performing. Choose Layer 2/3 Discovery Network Scan from the wizard and click the Next button.

Step 3: Input Credentials

Input administrative credentials to access the Domain Controller or indicate that the target network does not contain a Domain Controller.

Step 4: Select Local Domains

Choose either to scan all Domains detected on the target network or to restrict the Scan to selected Organizational Units (OUs) and Domains.
Step 5: Input External Domains

External Domain names allow others to visit the target site and facilitate services, such as email. Input External Domains here to include them as part of the data collection. Then select the Next button to continue. Examples of External Domains include:

example.com
mycompany.biz

Step 6: Specify IP Ranges

The IP ranges from the target network will be auto-detected and included in the scan. To include additional subnets input them here. Then select the Next button to continue.

Step 7: Add SNMP Information

By default, the software will retrieve data from devices with the community string “public.” If desired, define an additional community string (such as “private”) and enter it here. Then select the Next button to continue.

Step 8: Use MBSA

Check Run MBSA to perform a weak password check. Check Include Patch Analysis to gather information on missing patches (this second option will increase the time required to perform the scan).

Step 9: Verify and Schedule

Check Send an email notification when schedule completes to notify a desired address upon completion of the scan. This option is recommended as the time a scan takes to complete varies depending on the target network.

Click on the Finish button to complete the scheduling of the Configuring the Layer 2/3 Discovery Network Scan task which will display the Appliance Tasks and Queue window. The scheduled internal vulnerability scan can be confirmed in the Appliance Tasks and Queue window that is displayed in the Task Library list referenced below.

Upon viewing the scan task, you can select the “run now” option link under the Queue column to initiate the scan which will place the scan into the Queued Tasks list.
Or, you can click on the schedule link to execute the scan sometime in the future by selecting the interval (daily, weekly, monthly, annually, or just once) option and the time that the scan should be scheduled to run.

When you click the schedule link, the CRON Builder scheduler window is displayed and is used to set the schedule action’s execution time. Please note that the time zone used for the CRON Builder time is Eastern Standard Time (EST).

Note the Pending task present in the Queued Task list after the Run Now option has been selected for the Layer 2/3 Discovery Network Scan in the window below.

Local Collector Push Scan for Logon Anomaly Reporting

The Local Collector Push Scan for Logon Anomaly Reporting is an exclusive feature available through the Inspector.

Step 1: Initiate Appliance Scan

From the Site’s active Assessment, select Initiate Appliance Scan from the Scans bar. The Manage Appliance Tasks window will be displayed enabling you to select the IT or Compliance Assessment Scan you want to perform, configure the scan task, and to store the scan task in the Inspector Task Library for either manual or scheduled execution.

If this is the first time a Scan has been initiated from the Inspector appliance, follow the Network Detective Data Collector prompts to configure the Scan.

Step 2: Select Scan Type

Choose Local Collector Push for Logon Anomaly Reporting Scan from the wizard and click the Next button.

Step 3: Input Credentials

Input administrative credentials to access the Domain Controller or indicate that the target network does not contain a Domain Controller. Then select the Next button to continue.
Step 4: Select Local Domains

Choose either to scan all Domains detected on the target network or to restrict the Scan to selected Organizational Units (OUs) and Domains. Then select the Next button to continue.

Step 5: Input External Domains

External Domain names allow others to visit the target site and facilitate services, such as email. Input External Domains here to include them as part of the data collection. Then select the Next button to continue. Examples of External Domains include:

example.com
mycompany.biz

Step 6: Specify IP Ranges

The IP ranges from the target network will be auto-detected and included in the scan. To include additional subnets, input them here. Then select the Next button to continue.

Step 7: Add SNMP Information

By default, the software will retrieve data from devices with the community string “public.” If desired, define an additional community string (such as “private”) and enter it here. Then select the Next button to continue.

Step 8: Use MBSA

Check Run MBSA to perform a weak password check. Check Include Patch Analysis to gather information on missing patches (this second option will increase the time required to perform the scan). Then select the Next button to continue.

Step 9: Verify and Schedule

Check Send an email notification when schedule completes to notify a desired address upon completion of the scan. This option is recommended as the time a scan takes to complete varies depending on the target network.

Click on the Finish button to complete the scheduling of the Local Collector Push for Logon Anomaly Reporting Scan task, which will display the Appliance Tasks and Queue window.

The scheduled Local Collector Push for Logon Anomaly Reporting scan can be confirmed in the Appliance Tasks and Queue window that is displayed in the Task Library list referenced below.
Upon viewing the scan task, you can select the “run now” option link under the Queue column to initiate the scan, which will place the scan into the Queued Tasks list.

Or, you can click on the schedule link to execute the scan sometime in the future by selecting the interval (daily, weekly, monthly, annually, or just once) option and the time that the scan should be scheduled to run.

When you click the schedule link, the CRON Builder scheduler window is displayed and is used to set the schedule action’s execution time. Please note that the time zone used for the CRON Builder time is Eastern Standard Time (EST).

Note the Pending task present in the Queued Task list after the Run Now option has been selected for the Local Collector Push for Logon Anomaly Reporting Scan in the window below.

HIPAA Compliance Scans

To learn more about how to configure the scans related to a HIPAA Compliance Assessment, please refer to the HIPAA Module with Inspector User Guide.

Note that the HIPAA Module’s Assessment Reports are only available as part of the HIPAA Module subscription.

PCI Compliance Scans

To learn more about how to configure the scans related to a PCI Compliance Assessment, please refer to the PCI Module with Inspector User Guide.

Note that the PCI Module’s Assessment Reports are only available as part of the PCI Module subscription.

External Vulnerability Scan

To create this scan task, perform the following steps:

1. Choose External Scans Scan Type from the wizard and click the Next button.
2. Select the Scan Type External Vulnerability Scan.
3. Follow the prompts to set up the IP Addresses of the equipment/network being scanned.
4. Verify the settings and Schedule the Scan.
Managing the Scan Queue

After going through the steps to Associate the Software Appliance with a Site and configuring Network Scans and storing them in the Task Library, it is a simple process to run either an immediate or scheduled Data Collection on the target network. Note that the Scan configuration process needs to be completed only one time, and the resulting configuration will be stored for future use. This simplifies both automated and remote execution of Data Collections.

To view the Scan Queue, first associate your Appliance with a Site. Then navigate to the target Site’s Assessment Window.

After starting a new assessment, or within an existing assessment, in order to “Manage” an Appliance within the Assessment Project, you must first select the V symbol to expand the assessment properties view. This action will expand the Assessment’s properties for you to view and to add an Appliance to the Assessment.

Under the Appliances bar in the Active Assessment window, select the Manage button. This will bring up the Manage Appliance window and present the Task Library and the Queued Tasks.

Running a Scan On-Demand

Scans can be executed immediately through the use of the Run Now feature. To run a Scan configuration, locate the task in the Task Library and select run now.

After the task has been queued, it will run as soon as resources are available. A Scan that is run on-demand (i.e. instead of on a schedule) will have no value in the table under the Next Run column.

Scheduling a Scan

To schedule a scan, select the Schedule option available within a Scan Task listed within the Task Library.

To run a Scan configuration on a regular basis or at a future date, locate the Scan in the Task Library and select schedule. This will bring up the CRON Builder.
Choose a date, time, or other periodic range from the drop-downs in the CRON Builder. Please note that the time zone used for the CRON Builder time is Eastern Standard Time (EST).

After selecting a time frame, the scans will be executed according to the given schedule. Please be aware that only one scan of a particular type can execute on the Inspector appliance at a time.

After the schedule is set, the table entry for the Scan in Queued Tasks will display the next run time and whether or not the scan will repeat the schedule. Please be aware that the scans may be intensive and should be run during non-business hours if possible.

Scan Task Library versus Scan Tasks Queue

The Scan Task Library contains saved Scan configurations which can be run on demand or on a schedule to conduct Network Scans.

The advantage of the Scan Task Library is that the Network Scan configurations can be reused and run on-demand or on a schedule. There is no need to repeatedly enter the same information (such as the domain controller password or the IP Range) each time a data collection is performed using this model.

The Scan Tasks Queue lists the scans that are pending.

Cancelling a Scan

After the Site has been opened, select the V to expand the Assessment window to view any appliances associated with the site. Then select the Manage option present above the Appliance Status bar. The Manage Inspector window will be displayed. Then view the Queued Tasks located within the Manage Appliance window.

From Queued Tasks, click the Delete button for the Scan. This will only delete the Scan from the Queue so it will not be run until it has been re-scheduled. The Scan configuration will still be stored in the Task Library.

Downloading Scans

Successfully completed Network Scans are immediately available to download through the Network Detective Application.
After downloading these Scan files, they can be used to explore data or generate reports as needed.

First, go to the Active Assessment of the Site associated with the Appliance. From the Assessment Window, select Download Scans from the Scans bar.

All available Scans which have not yet been downloaded will be shown in a list. Check the desired Scans and choose Download Selected, or select Download All to receive all Scans.

After being successfully downloaded, Scans will immediately be displayed under the Scans bar and available for data exploration or report generation.

Configuring the Local Data Scan Merges

When local scans are performed by the Appliance, they can be merged into a particular domain data set. The Configuration of Local Scan Merges feature allows you to select which method you prefer to use when merging local scans. This setting will impact Alerts, Bulletins, and Automated Report Generation.

To select the process to be used by the Appliance to Merge any Local Scan Data into a primary domain data set, perform the following steps.

Step 1 – Select the Site

Double-click the Site for which you are configuring automated scans and reports in order to view and access the Site.

Step 2 – Select Manage Appliance

After the Site has been opened, select the V to expand the Assessment window to view any appliances associated with the site. Then select the Manage option present above the Appliance Status bar. The Manage Inspector window will be displayed.

Step 3 – Set Scan Data Merge Configuration

Select the Configuration tab in the Manage Inspector Window to view the Local Scan Merge settings.
Step 4 – Set the Local Scan Merge Settings

Select the preferred Local Scan Merge method, or select Do Not Merge Local Scans. Then select the Save and Close button to store the data merge settings.

Using the Manage Inspector Appliance Feature to Configure Automatic Report Generation

Below is an overview of the steps required to set up Automatic Report Generation for the following Assessment types:

Network Assessments
Security Assessments
SQL Server Assessments
HIPAA Compliance Assessments
PCI Compliance Assessments

Setting Up Automatic Reports for Network Assessments

Automatic report generation for the Network Assessment Module requires that the scans be run on an Inspector before a report can be generated.

Following are the steps necessary to set up automatically generated reports for the Network Assessment Module:

1. Create a new assessment that is of the type Network Assessment. Associate your Inspector with the Site in which this new Assessment is created.
2. Manage the Inspector and create a new Scan Task that collects the Network Assessment data.
3. After the scan task is created, Schedule the scan task for the times that are appropriate for this Assessment.
4. Using the Manage Inspector feature and the Task Library Window, create a Report Task that specifies desired reports from the Network Assessment Module. Keep in mind that reports for specific Assessment types can only be produced after the Scans required for a specific Assessment type have been performed.
5. Schedule the created Report Task for a time which is certain to be after the scan is complete. Reports will use whatever data is on the Inspector based on the most recent scan that has been completed, so if the scan is not complete then the reports will not have the most recent scan’s data either.
6. If the user has specified that reports be delivered by email, the specified email should receive an email with a .zip file of the reports attached as long as the zip file is less than 5 MB in size.
7. Report generation can take several minutes. After sufficient time has passed after the report generation task schedule, view the generated reports by navigating to the Download Reports item on the left hand side of the Network Detective application. The Download Inspector Reports option will appear at the top of the Network Detective window. Then press the Download Inspector Reports button at the top. A dialog will appear with reports generated by the Inspector.
8. Select and right click on a report to download the report.

Setting Up Automatic Reports for Security Assessments

Automatic report generation for the Security Assessment Module requires that the scans be run on an Inspector before a report can be generated.

Following are the steps necessary to set up automatically generated reports for the Security Assessment Module:

1. Create a new assessment that is of the type Security Assessment.
2. Associate your Inspector with the Site in which this new Assessment is created.
3. Manage the Inspector and create a new Scan Task that collects the Security Assessment data.
4. Schedule the Scan Task for the times that are appropriate for this Assessment.
5. Using the Manage Inspector feature and the Task Library Window, create a Report Task that specifies desired reports from the Security Assessment Module. Keep in mind that reports for specific Assessment types can only be produced after the Scans required for a specific Assessment type have been performed.
6. Schedule the created Report Task for a time which is certain to be after the scan is complete.
Reports will use whatever data is on the Inspector based on the most recent scan that has been completed, so if the scan is not complete then the reports will not have the most recent scan’s data either.
7. If the user has specified that reports be delivered by email, the specified email should receive an email with a .zip file of the reports attached as long as the zip file is less than 5 MB in size.
8. Report generation can take several minutes. After sufficient time has passed after the report generation task schedule time, view the generated reports by navigating to the Download Reports item on the left hand side of the Network Detective application. The Download Inspector Reports option will appear at the top of the Network Detective window. Then press the Download Inspector Reports button at the top. A dialog will appear with reports generated by the Inspector.
9. Select and right click on a report to download the report.

Setting Up Automatic Reports for SQL Server Assessments

Automatic report generation for the SQL Server Assessment Module requires that the scans be run on an Inspector before a report can be generated.

Following are the steps necessary to set up automatically generated reports for the SQL Server Assessment Module:

1. Create a new assessment that is of the type SQL Server Assessment.
2. Associate your Inspector with the Site in which this new Assessment is created.
3. Manage the Inspector and create a new Scan Task that collects the SQL Server Assessment data.
4. Schedule the Scan Task for the times that are appropriate for this Assessment.
5. Using the Manage Inspector feature and the Task Library Window, create a Report Task that specifies desired reports from the SQL Server Assessment Module. Keep in mind that reports for specific Assessment types can only be produced after the Scans required for a specific Assessment type have been performed.
6. Schedule the created Report Task for a time which is certain to be after the scan is complete. Reports will use whatever data is on the Inspector based on the most recent scan that has been completed, so if the scan is not complete then the reports will not have the most recent scan’s data either.
7. If the user has specified that reports be delivered by email, the specified email should receive an email with a .zip file of the reports attached as long as the zip file is less than 5 MB in size.
8. Report generation can take several minutes. After sufficient time has passed after the report generation task schedule time, view the generated reports by navigating to the Download Reports item on the left hand side of the Network Detective application. The Download Inspector Reports option will appear at the top of the Network Detective window. Then press the Download Inspector Reports button at the top. A dialog will appear with reports generated by the Inspector.
9. Select and right click on a report to download the report.

Setting Up Automatic Reports for HIPAA Compliance Assessments

Automatic report generation for the HIPAA Compliance Module requires that a full assessment that includes scans, worksheets and surveys be completed and synced with the Inspector Software Appliance before reports can be generated. This is the only way for user completed forms to be transferred to the Inspector. Once the assessment is complete and synced, new scans can be run on an Inspector and new reports can be generated with the previously specified Inform-based Survey and Worksheet data.

Following are the steps necessary to set up automatically generated reports for the HIPAA Compliance Module:

1. Using Network Detective, create a new assessment that is of the type HIPAA Risk Assessment.
2. Associate your Inspector Software Appliance with the Site that this new HIPAA Assessment is created within.
3. Complete all the requirements for a successful HIPAA Risk Assessment within this new assessment. This includes external scans, network scans, local scans, and all appropriate inform-based Surveys and Worksheets. When this step is complete the user should be able to generate all HIPAA reports. The user is free to use the Inspector during this initial HIPAA Assessment to gather the scan information as appropriate.
4. Once satisfied with a complete HIPAA assessment, press the “Finish” button. Confirm that you wish to upload the data to the Inspector to be used with automatic report generation.
5. Start a new Assessment that is of the type HIPAA Risk Assessment.
6. On the Create New Assessment Wizard Screen, select the checkbox to sync the assessment to the Inspector.
7. Manage the Inspector and set up a task schedule or schedules for collecting data as desired.
8. Schedule the created Report Task for a time which is certain to be after the scan is complete. Reports will use whatever data is on the Inspector based on the most recent scan that has been completed, so if the scan is not complete then the reports will not have the most recent scan’s data either. Keep in mind that reports for specific Assessment types can only be produced after the Scans required for a specific Assessment type have been performed.
9. If the user has specified that reports be delivered by email, the specified email should receive an email with a .zip file of the reports attached as long as the zip file is less than 5 MB in size.
10. Report generation can take several minutes. After sufficient time has passed after the report generation task schedule, view the generated reports by navigating to the Download Reports item on the left hand side of the Network Detective application.
The Download Inspector Reports option will appear at the top of the Network Detective window. Then press the Download Inspector Reports button at the top. A dialog will appear with reports generated by the Inspector.
11. Select and right click on a report to download the report.
12. If an “Exception Report” is present in the available reports, or was contained in the .zip file sent in the notification email, OR if you feel that data in the generated report is using data from an inform-based worksheet or survey that is outdated:
   a. Note any missing elements present in the Exception report (if present).
   b. Update Inform forms in the currently active Assessment to reflect the data desired.
   c. If current Informs do not contain the topics that are noted as missing:
      i. Press the “Finish” button for the currently active Assessment.
      ii. DO NOT agree to the question which asks if you would like to sync the data to the Inspector.
      iii. Start a new active Assessment. Check the checkbox which says “Sync with latest Inspector scan”.
      iv. A new assessment with the latest data from the Inspector will be created. Update Inform as appropriate.
   d. Press the “Finish” button for the currently active Assessment.
   e. DO agree to sync the data to the Inspector.
   f. Then return to step 5 above.

Setting Up Automatic Reports for PCI Compliance Assessments

Automatic report generation for the PCI Compliance Module requires that a full assessment that includes scans, worksheets and surveys be completed and synced with the Inspector before reports can be generated. This is the only way for user completed forms to be transferred to the Inspector. Once the assessment is complete and synced, new scans can be run on an Inspector and new reports can be generated with the previously specified Inform-based Survey and Worksheet data.
Following are the steps necessary to set up automatically generated reports for the PCI Compliance Module:

1. Using Network Detective, create a new assessment that is of the type PCI Risk Assessment.
2. Associate your Inspector with the Site in which this new PCI Assessment is created.
3. Complete all the requirements for a successful PCI Risk Assessment within this new assessment. This includes external scans, network scans, local scans, and all appropriate inform-based surveys and worksheets. When this step is complete the user should be able to generate all PCI reports. The user is free to use the Inspector during this initial PCI Assessment to gather the scan information as appropriate.
4. Once satisfied with a complete assessment, press the “Finish” button. Confirm that you wish to upload the data to the Inspector to be used with automatic report generation.
5. Start a new Assessment that is of the type PCI Risk Assessment.
6. On the Create New Assessment Wizard Screen, select the checkbox to sync the assessment to the Inspector.
7. Manage the Inspector and set up a task schedule or schedules for collecting data as desired.
8. Manage the Inspector and set up reporting tasks for times that are certain to be not when the data collection tasks are running. Keep in mind that reports for specific Assessment types can only be produced after the Scans required for a specific Assessment type have been performed.
9. If the user has specified that reports be delivered by email, the specified email should receive an email with a zip of the reports attached as long as the zip file is less than 5 MB in size.
10. Report generation can take several minutes. After sufficient time has passed after the report generation task schedule, view the generated reports by navigating to the Download Reports item on the left hand side, and press the Download Inspector Reports button at the top.
A dialog will appear with reports generated by the Inspector.
11. Select and right click on a report to download the report.
12. If an “Exception Report” is present in the available reports, or was contained in the zip sent in the notification email, OR if you feel that data in the generated report is using data from an inform-based worksheet or survey that is outdated:
   a. Note any missing elements present in the Exception report (if present).
   b. Update Inform forms in the currently active Assessment to reflect the data desired.
   c. If current Informs do not contain the topics that are noted as missing:
      i. Press the “Finish” button for the currently active Assessment.
      ii. DO NOT agree to the question which asks if you would like to sync the data to the Inspector.
      iii. Start a new active Assessment. Check the checkbox which says “Sync with latest Inspector scan”.
      iv. A new assessment with the latest data from the Inspector will be created. Update Inform as appropriate.
   d. Press the “Finish” button for the currently active Assessment.
   e. DO agree to sync the data to the Inspector. Then return to step 5 above.

Updating a Software Appliance

After installing a Software Appliance at the Site’s physical location and associating the Software Appliance with a Site in the Network Detective Application, it’s important to regularly update the Appliance to get the most out of the features available on the Software Appliance you are using, which may include one or more of the following: Data Collections, Automated Reports, Tech-Alerts, and Security Bulletins.

In the Network Detective Application, navigate to the Network Detective ribbon bar and select the Appliances icon. This action will display the Software Appliances window that lists all of the Appliances that are available for use within Network Detective.
To update the selected Software Appliance, right click on the Appliance’s name, and select the Update menu option presented as displayed below.

Note that the Update menu will only be visible if software updates are available.

IMPORTANT: The Appliance Update Now feature, when activated to update the Software Appliance, will shut down any tasks that are currently running on the Software Appliance. Before updating the Software Appliance, either stop a currently running task listed in the Task Library window Queued Tasks list, or perform the update after running tasks are completed.

A dialog will appear confirming the request for a software update.

Appendices

Appendix I

Inspector Diagnostic Tool

The Diagnostic Tool is used to gather relevant diagnostic information, test connectivity, manage updates, and allow remote support to the Inspector appliance.

Available Commands

There are a number of commands available within the Appliance Manager.

Location and Information

Locate Network Detective Appliance: Re-initializes the Inspector discovery process and attempts to retrieve the Device ID number and other diagnostic information.

Get Appliance Device ID: Displays the Inspector Appliance’s Device ID, used when associating the Inspector Appliance with a Site in the Network Detective Application.

Diagnostics and Troubleshooting

Appliance Diagnostics: Queries the Inspector for diagnostic information used to verify running status, software, connectivity, and NIC Information.

Ping Test from Appliance: Performs a ping test directed at a specified host or IP address from the point of view of the Inspector itself. Note: network connectivity is required for the Inspector to operate properly.

Get Log Files: Retrieves diagnostics logs from the Inspector.
Returns a link to download a .zip file containing run log information which may be used for further troubleshooting.

Service Control

Appliance Service Status: Queries the Inspector to return its current status. The possible statuses are as follows:

Idle: The device is online, but performing no action.
Queued: The device is online and performing no action. A schedule is active and queued to run.
Running: The device is online and currently running a schedule.

Appliance Service Restart: Requests a Service Restart from the Inspector. Exercise caution when using this command because it may interrupt any running Scan.

Updating via USB

Update Appliance via USB: Requests the Inspector to update via USB. Attempts to detect a USB device. If a USB device containing the necessary files is found to be connected to the Inspector, an update will be performed. Please ensure that a USB stick containing the update is plugged into the USB port of the Inspector appliance.

Check USB Update Status: Returns the current status of a running update. Also attempts to detect any USB device with available updates.

Remote Assistance

Toggle Remote Assistance Status: Instructs the Inspector to make itself available for Remote Assistance and to allow a technician to access the device for support.

Check Remote Assistance Status: Returns the current status of Remote Assistance.

Shutdown and Restart

Restarts the Inspector Appliance.

Shutdown Appliance: Shuts down the Inspector Appliance.